Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add sending payloads for POP and IMAP for starttls injection

Browse Source 
* todo: parse the return strings for detection
* test ;-)
* check whether the random char thing works under every OS supported
* definition of five_random var
This commit is contained in:
Dirk Wetter 2020-08-29 10:20:35 +02:00
parent 5560e17b01
commit a65e55522f
1 changed files with 27 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
testssl.sh
View File

@ -10533,6 +10533,7 @@ starttls_ftp_dialog() {
} }
# argv1: empty: SMTP, "lmtp" : LMTP # argv1: empty: SMTP, "lmtp" : LMTP
# argv2: payload for STARTTLS injection test
# #
starttls_smtp_dialog() { starttls_smtp_dialog() {
local greet_str="EHLO testssl.sh" local greet_str="EHLO testssl.sh"
@ -10542,10 +10543,7 @@ starttls_smtp_dialog() {
local -i ret=0 local -i ret=0
"$SNEAKY" && greet_str="EHLO google.com" "$SNEAKY" && greet_str="EHLO google.com"
if [[ -n "$2" ]]; then [[ -n "$2" ]] && starttls="$starttls\r\n$1" # this adds a payload if supplied
# Here we can supply and addtional command after STARTTLS for injection tests
starttls="STARTTLS\r\n$2"
fi
if [[ "$1" == lmtp ]]; then if [[ "$1" == lmtp ]]; then
proto="lmtp" proto="lmtp"
greet_str="LHLO" greet_str="LHLO"
@ -10562,10 +10560,13 @@ starttls_smtp_dialog() {
return $ret return $ret
} }
# argv1: payload for STARTTLS injection test
#
starttls_pop3_dialog() { starttls_pop3_dialog() {
local -i ret=0 local -i ret=0
local starttls="STLS" local starttls="STLS"
[[ -n "$1" ]] && starttls="$starttls\r\n$1" # this adds a payload if supplied
debugme echo "=== starting pop3 STARTTLS dialog ===" debugme echo "=== starting pop3 STARTTLS dialog ==="
starttls_full_read '^\+OK' '^\+OK' '' "received server greeting" && starttls_full_read '^\+OK' '^\+OK' '' "received server greeting" &&
starttls_just_send "$starttls" "initiated STARTTLS" && starttls_just_send "$starttls" "initiated STARTTLS" &&
@ -10575,11 +10576,14 @@ starttls_pop3_dialog() {
return $ret return $ret
} }
# argv1: payload for STARTTLS injection test
#
starttls_imap_dialog() { starttls_imap_dialog() {
local -i ret=0 local -i ret=0
local reSTARTTLS='^\* CAPABILITY(( .*)? IMAP4rev1( .*)? STARTTLS(.*)?|( .*)? STARTTLS( .*)? IMAP4rev1(.*)?)$' local reSTARTTLS='^\* CAPABILITY(( .*)? IMAP4rev1( .*)? STARTTLS(.*)?|( .*)? STARTTLS( .*)? IMAP4rev1(.*)?)$'
local starttls="a002 STARTTLS" local starttls="a002 STARTTLS"
[[ -n "$1" ]] && starttls="$starttls\r\n$1" # this adds a payload if supplied
debugme echo "=== starting imap STARTTLS dialog ===" debugme echo "=== starting imap STARTTLS dialog ==="
starttls_full_read '^\* ' '^\* OK ' '' "received server greeting" && starttls_full_read '^\* ' '^\* OK ' '' "received server greeting" &&
starttls_just_send 'a001 CAPABILITY' "sent CAPABILITY" && starttls_just_send 'a001 CAPABILITY' "sent CAPABILITY" &&
@ -10736,13 +10740,13 @@ fd_socket() {
starttls_smtp_dialog lmtp starttls_smtp_dialog lmtp
;; ;;
pop3|pop3s) # POP, see https://tools.ietf.org/html/rfc2595 pop3|pop3s) # POP, see https://tools.ietf.org/html/rfc2595
starttls_pop3_dialog starttls_pop3_dialog "$payload"
;; ;;
nntp|nntps) # NNTP, see https://tools.ietf.org/html/rfc4642 nntp|nntps) # NNTP, see https://tools.ietf.org/html/rfc4642
starttls_nntp_dialog starttls_nntp_dialog
;; ;;
imap|imaps) # IMAP, https://tools.ietf.org/html/rfc2595, https://tools.ietf.org/html/rfc3501 imap|imaps) # IMAP, https://tools.ietf.org/html/rfc2595, https://tools.ietf.org/html/rfc3501
starttls_imap_dialog starttls_imap_dialog "$payload"
;; ;;
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
@ -17822,7 +17826,20 @@ run_starttls_injection() {
uds=$TEMPDIR/uds uds=$TEMPDIR/uds
fd_socket 5 "EHLO google.com" case $proto in
smtp) fd_socket 5 "EHLO google.com"
;;
pop) fd_socket 5 "CAPA"
;;
imap)
#FIXME: check all BSDs:
five_random=$(tr -dc '[:upper:]' < /dev/urandom | dd bs=5 count=1 2>/dev/null)
fd_socket 5 "$five_random NOOP"
;;
*) outln "STARTTLS injection test doesn't work for $proto, yet"
fileout "$jsonID" "INFO" "STARTTLS injection test doesn't work for $proto" "$cve" "$cwe" "$hint"
;;
esac
$SOCAT FD:5 UNIX-LISTEN:$uds & $SOCAT FD:5 UNIX-LISTEN:$uds &
socat_pid=$! socat_pid=$!
@ -17831,12 +17848,14 @@ run_starttls_injection() {
else else
openssl_bin=$OPENSSL2 openssl_bin=$OPENSSL2
fi fi
# normally the interesting fallback we grep later for is in fd2 but we'll catch all here # normally the interesting fallback we grep later for is in fd2 but we'll catch also stdout here
$openssl_bin s_client -unix $uds >$TMPFILE 2>&1 & $openssl_bin s_client -unix $uds >$TMPFILE 2>&1 &
openssl_pid=$! openssl_pid=$!
sleep 1 sleep 1
[[ "$DEBUG" -ge 4 ]] && cat $TMPFILE [[ "$DEBUG" -ge 4 ]] && cat $TMPFILE
#FIXME: is the pattern sufficient for SMTP?
#FIXME: check POP / IMAP output for vulnerable servers
if grep -Eqa '^250-|^503 ' $TMPFILE; then if grep -Eqa '^250-|^503 ' $TMPFILE; then
out "likely " out "likely "
prln_svrty_high "VULNERABLE (NOT ok)" prln_svrty_high "VULNERABLE (NOT ok)"